flankerhqd / jaadas

Joint Advanced Defect assEsment for android applications

Home Page: https://speakerdeck.com/flankerhqd/jade-joint-advanced-defect-assesment

License: Other

soot static-analysis vulnerability inter-procedure-analysis android-applications

jaadas's Introduction

Joint Advanced Application Defect Assessment for Android Application

This is the Joint Advanced Defect Assessment framework for Android applications (JAADAS; the original name JADE was changed to avoid a potential trademark issue), written in 2014. JAADAS is a tool written in Java and Scala that builds on Soot to provide both inter-procedural and intra-procedural static analysis for Android applications. Its features include API misuse analysis, local denial-of-service (intent crash) analysis, and inter-procedural taint flow analysis (from intent to sensitive API, e.g. getting a Parcelable from an intent and using it to start an activity).

JAADAS can also combine multidex files into one and analyze them together. Most of JAADAS's detection capabilities are defined in a Groovy config file and text files (Soot's source and sink files).

USAGE

JAADAS is packed into a single jar archive and I provide a default vulnerability rules file. There are two major modes in JAADAS.

FullAnalysis

FullAnalysis unleashes the full power of JAADAS and Soot, including inter-procedural whole-application analysis and inter-procedural dataflow analysis. It may, however, take a long time and may not finish on machines with little memory (<16GB). Full mode is the default.

FastAnalysis

FastAnalysis usually finishes in less than 1 minute and is intended for large-scale batch analysis. Inter-procedural analysis is disabled to achieve maximum flexibility. In normal situations this mode is enough for a common audit.

--fastanalysis enables FastAnalysis and disables FullAnalysis.

Command line for analysis: java -jar jade-0.1.jar vulnanalysis -f 1.apk -p /xxx/android-sdks/platforms/ -c /xxx/JAADAS/jade/config/ --fastanalysis

-c option

-c must be provided as the directory for config files, including taint rules, sources and sinks, vulnerable API descriptions and so on. If you do not understand the content of the config files, do not modify them; leave them as they are.

-p option

The -p option specifies the Android platform directory, which usually just points to ${ANDROID_SDK}/platforms/.

Notice

Soot requires the specific version of the platform jar to be present: for example, if your analysis target has targetSDK=22, then Soot will look for platforms/android-22/android.jar and otherwise raise an error. If you don't have that specific jar, you can simply create a symbolic link at that position pointing to one you already have, say android-16.jar, to make Soot happy. It won't affect the precision of the analysis result.
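The symlink workaround described above, written out as an added helper (not part of JAADAS itself): it resolves the android.jar Soot will look for and, when that API level is missing, links it to the newest android.jar already installed. The demo builds a throwaway SDK layout with only android-16 as a constructed scenario.

```python
import os
import re
import tempfile

def resolve_platform_jar(platforms_dir, target_sdk):
    """Return platforms/android-<N>/android.jar for the target SDK level.

    If that exact level is absent, symlink it to the newest android.jar already
    present in platforms_dir (the README's workaround). Returns (path, created_link)."""
    wanted_dir = os.path.join(platforms_dir, f"android-{target_sdk}")
    wanted = os.path.join(wanted_dir, "android.jar")
    if os.path.isfile(wanted):          # follows symlinks, so an earlier link counts
        return wanted, False
    available = []
    for name in os.listdir(platforms_dir):
        m = re.fullmatch(r"android-(\d+)", name)
        jar = os.path.join(platforms_dir, name, "android.jar")
        if m and os.path.isfile(jar):
            available.append((int(m.group(1)), jar))
    if not available:
        raise FileNotFoundError(f"no android.jar found under {platforms_dir}")
    level, fallback = max(available)    # newest API level that is actually installed
    os.makedirs(wanted_dir, exist_ok=True)
    os.symlink(fallback, wanted)
    return wanted, True

def demo():
    """Constructed scenario: SDK dir holding only android-16, app has targetSDK=22."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "android-16"))
    open(os.path.join(root, "android-16", "android.jar"), "wb").close()  # empty stand-in jar
    path, created = resolve_platform_jar(root, 22)
    path2, created_again = resolve_platform_jar(root, 22)   # second call finds the link
    target_level = os.path.basename(os.path.dirname(os.path.realpath(path)))
    return created, created_again, target_level, path == path2

if __name__ == "__main__":
    print(demo())
```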

-f option

-f option specifies the APK to be analyzed.

Output

JAADAS outputs the results as a list to the console and also writes a JSON result to the output/ directory as {MD5_OF_INPUT_APK}.txt. A sample can be found in the output directory of this repo: https://github.com/flankerhqd/JAADAS/blob/master/output/92db77bbe1cae9004f11ef9d3d6cbf08.txt

Snippet:

  }, {
    "desc": "sensitive data flow",
    "sourceStmt": "$r24 = virtualinvoke $r2.<android.content.Intent: java.lang.String getStringExtra(java.lang.String)>($r24)",
    "custom": "",
    "vulnKind": 2,
    "destMethod": "<cn.jpush.android.service.PushReceiver: void onReceive(android.content.Context,android.content.Intent)>",
    "paths": [],
    "destStmt": "virtualinvoke $r1.<android.content.Context: void sendBroadcast(android.content.Intent,java.lang.String)>($r27, $r24)",
    "sourceMethod": "<cn.jpush.android.service.PushReceiver: void onReceive(android.content.Context,android.content.Intent)>"
  }, {
    "desc": "sensitive data flow",
    "sourceStmt": "$r4 = virtualinvoke $r2.<android.content.Intent: android.os.Bundle getExtras()>()",
    "custom": "",
    "vulnKind": 2,
    "destMethod": "<com.fugao.fxhealth.receiver.JPushReceiver: void onReceive(android.content.Context,android.content.Intent)>",
    "paths": [],
    "destStmt": "virtualinvoke $r1.<android.content.Context: void startActivity(android.content.Intent)>($r2)",
    "sourceMethod": "<com.fugao.fxhealth.receiver.JPushReceiver: void onReceive(android.content.Context,android.content.Intent)>"
  }, {
    "desc": "sensitive data flow",
    "sourceStmt": "$r6 = virtualinvoke $r2.<android.content.Intent: java.lang.String getStringExtra(java.lang.String)>($r6)",
    "custom": "",
    "vulnKind": 2,
    "destMethod": "<cn.jpush.android.data.x: void a(android.content.Context)>",
    "paths": [],
    "destStmt": "virtualinvoke $r1.<android.content.Context: void startActivity(android.content.Intent)>($r2)",
    "sourceMethod": "<cn.jpush.android.service.PushReceiver: void onReceive(android.content.Context,android.content.Intent)>"
  }, {
    "desc": "sensitive data flow",
    "sourceStmt": "$r9 = virtualinvoke $r2.<android.content.Intent: java.lang.String getStringExtra(java.lang.String)>($r9)",
    "custom": "",
    "vulnKind": 2,
    "destMethod": "<cn.jpush.android.data.x: void a(android.content.Context)>",
    "paths": [],
    "destStmt": "virtualinvoke $r1.<android.content.Context: void startActivity(android.content.Intent)>($r2)",
    "sourceMethod": "<cn.jpush.android.service.PushReceiver: void onReceive(android.content.Context,android.content.Intent)>"
  }]}
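A small reader for the output format shown above, added here as an example and not part of JAADAS: it groups findings by desc and pulls the enclosing method, the source API and the sink API out of the Soot signatures in sourceMethod, sourceStmt and destStmt. The embedded report is constructed in the same shape as the snippet (class names and the md5 are placeholders).

```python
import json
import re
from collections import defaultdict

# Matches the Soot signature '<class: rettype name(' that appears in both method
# and statement fields of the JAADAS output.
SIG_RE = re.compile(r"<([\w.$]+): [\w.$\[\]]+ ([\w<>$]+)\(")

# Constructed sample in the shape of output/{MD5}.txt; not a real scan result.
SAMPLE_OUTPUT = json.dumps({
    "score": 133.4,
    "md5hash": "00000000000000000000000000000000",
    "results": [
        {"desc": "sensitive data flow", "vulnKind": 2, "custom": "", "paths": [],
         "sourceMethod": "<com.example.Receiver: void onReceive(android.content.Context,android.content.Intent)>",
         "sourceStmt": "$r4 = virtualinvoke $r2.<android.content.Intent: android.os.Bundle getExtras()>()",
         "destMethod": "<com.example.Receiver: void onReceive(android.content.Context,android.content.Intent)>",
         "destStmt": "virtualinvoke $r1.<android.content.Context: void startActivity(android.content.Intent)>($r2)"},
        {"desc": "webview addjsinterface code exec", "vulnKind": 0, "paths": [],
         "custom": "naive check, may false positive",
         "sourceMethod": "<com.example.Ads: void load()>",
         "sourceStmt": "virtualinvoke $r22.<android.webkit.WebView: void addJavascriptInterface(java.lang.Object,java.lang.String)>($r26, \"es\")",
         "destMethod": "", "destStmt": ""},
    ],
})

def api_of(text):
    """Return 'class.method' for the first Soot signature in a method or statement string."""
    m = SIG_RE.search(text)
    return f"{m.group(1)}.{m.group(2)}" if m else None

def summarize(raw):
    """Group a JAADAS JSON report by finding description, one compact record per hit."""
    report = json.loads(raw)
    findings = defaultdict(list)
    for r in report["results"]:
        findings[r["desc"]].append({
            "kind": r["vulnKind"],
            "in_method": api_of(r["sourceMethod"]),
            "source_api": api_of(r["sourceStmt"]),
            "sink_api": api_of(r["destStmt"]) if r["destStmt"] else None,
            "naive": "false positive" in r.get("custom", ""),   # flagged by the rule author
        })
    return {"score": report["score"], "md5": report["md5hash"], "findings": dict(findings)}

if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_OUTPUT), indent=2))
```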

Hint

To avoid OOM, add the -Xmx option to the command line, e.g. java -jar -Xmx8192m jade-0.1.jar

Build from source code

JAADAS is organized with Gradle. Run gradle fatJar at the root of the source directory and a single bundled jar will be generated at ./jade/build/. Each directory originally represented a git submodule. For simplicity I combined them under the same root directory; you can change this as you wish to track upstream Soot changes.

Technical Description

https://speakerdeck.com/flankerhqd/jade-joint-advanced-defect-assesment

Ideas in Design

https://github.com/flankerhqd/JAADAS/wiki

Prebuilt binary Download

https://github.com/flankerhqd/JAADAS/releases/download/release0.1/jaadas-0.1.zip

Credits

Thanks Soot authors (https://github.com/Sable/soot) for providing such a good framework.

Some Key vulnerabilities found by JAADAS

Disclaimer:

This is just a research prototype, use at your own risk. The results may contain false positives and false negatives due to the nature of static analysis. Feel free to fork and pull it.

Requirements

JDK >= 1.8 (must)

Scala >=2.11 Tested

jaadas's People

Contributors

anantshri, flankerhqd


jaadas's Issues

What does the score in the output results mean? How is the given score determined?

{
"score": 133.39999389648438,
"md5hash": "1980980716b38a8ea7c28e652b82aedc",
"results": [{
"desc": "webview addjsinterface code exec",
"sourceStmt": "virtualinvoke $r22.<com.energysource.szj.embeded.AdvWebView: void addJavascriptInterface(java.lang.Object,java.lang.String)>($r26, "es")",
"custom": "naive check, may false positive",
"vulnKind": 0,
"destMethod": "",
"paths": [],
"destStmt": "",
"sourceMethod": "<com.energysource.szj.embeded.AdManager: void requestAdvById(int)>"
},

Exception in thread "main" org.jf.dexlib2.dexbacked.DexBackedDexFile$NotADexFile: Invalid magic value: 64 65 78 0a 30 33 37 00

Hi, Flanker
I encountered an issue like this:
`$ java -jar D:\barca\JAADAS\jaadas-0.1\jade-0.1.jar vulnanalysis -f D:\barca\app\system_app_DownloadProviderUi_DownloadProviderUi.apk -p F:\tools\adtnew\sdk\platforms -c D:\barca\JAADAS\jaadas-0.1\config\ --fastanalysis


enabled plugins: implements custom verifier that always return true
Webview js file access misconfigurations
Webview ssl handler impl onReceivedSslError, lead to SSL vulnerability
X509TrustManager empty impl, lead to SSL vulnerability
FAKEID reloaded vulnerability
Check webview save password disabled or not
Scan for ZipEntry vulnerable to unzip directory traversal vulnerability



enabled modules: constapicheck, crash analysis


Using 'F:\tools\adtnew\sdk\platforms\android-23\android.jar' as android.jar
Warning: exception while processing dex file 'D:\barca\app\system_app_DownloadProviderUi_DownloadProviderUi.apk'
Exception: org.jf.dexlib2.dexbacked.DexBackedDexFile$NotADexFile: Invalid magic value: 64 65 78 0a 30 33 37 00
Warning: java.lang.invoke.LambdaMetafactory is a phantom class!
Warning: java.lang.ref.Finalizer is a phantom class!
Exception in thread "main" org.jf.dexlib2.dexbacked.DexBackedDexFile$NotADexFile: Invalid magic value: 64 65 78 0a 30 33 37 00
at org.jf.dexlib2.dexbacked.DexBackedDexFile.verifyMagicAndByteOrder(DexBackedDexFile.java:151)
at org.jf.dexlib2.dexbacked.DexBackedDexFile.(DexBackedDexFile.java:70)
at org.jf.dexlib2.dexbacked.DexBackedDexFile.(DexBackedDexFile.java:96)
at org.jf.dexlib2.DexFileFactory.loadDexFile(DexFileFactory.java:88)
at org.jf.dexlib2.DexFileFactory.loadDexFile(DexFileFactory.java:56)
at soot.DexClassProvider.classesOfDex(DexClassProvider.java:121)
at soot.SourceLocator.getClassesUnder(SourceLocator.java:206)
at soot.Scene.loadNecessaryClasses(Scene.java:1361)
at org.k33nteam.jade.drivers.CheckDriver.prepareMethodTraversal(CheckDriver.scala:77)
at org.k33nteam.jade.drivers.CheckDriver.fastentry(CheckDriver.scala:98)
at main$.main(main.scala:75)
at main.main(main.scala)`

Why does it say there is no dex file, when it has a classes.dex file in it?
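Decoding the magic bytes printed in the error above, as an added example that is not part of JAADAS: the eight bytes 64 65 78 0a 30 33 37 00 spell "dex\n037\0", i.e. a dex header of format version 037, so the file is a dex file but not one the bundled dexlib2 recognises. The supported-version set defaulting to 035 is an assumption about the dexlib2 shipped in the 2015 jaadas-0.1 build; the in-memory APK in demo() is constructed and carries only a header, not real bytecode.

```python
import io
import re
import zipfile

DEX_MAGIC_PREFIX = b"dex\n"   # 8-byte dex magic is 'dex\n' + 3 ASCII digits + '\0'

def parse_dex_version(header):
    """Return the 3-digit version string from a dex header, or None if it is not a dex magic."""
    if len(header) < 8 or header[:4] != DEX_MAGIC_PREFIX or header[7:8] != b"\0":
        return None
    version = header[4:7]
    return version.decode("ascii") if version.isdigit() else None

def explain_magic_error(hex_bytes, supported=("035",)):
    """Decode the bytes dexlib2 prints in 'Invalid magic value: ...'.

    `supported` is an assumption: the dexlib2 bundled with jaadas-0.1 is taken to
    accept only dex version 035, so newer headers trigger the NotADexFile error."""
    raw = bytes.fromhex(hex_bytes.replace(" ", ""))
    version = parse_dex_version(raw)
    return {"is_dex": version is not None, "version": version,
            "accepted": version in supported}

def dex_versions_in_apk(apk):
    """Map every classes*.dex entry of an APK (path or file object) to its dex version,
    so the check can be run before handing the APK to the analyzer."""
    versions = {}
    with zipfile.ZipFile(apk) as zf:
        for name in zf.namelist():
            if re.fullmatch(r"classes\d*\.dex", name):
                with zf.open(name) as f:
                    versions[name] = parse_dex_version(f.read(8))
    return versions

def demo():
    """Constructed in-memory APK whose classes.dex carries only a version-037 header."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", b"dex\n037\0" + b"\0" * 0x68)
        zf.writestr("AndroidManifest.xml", b"")
    buf.seek(0)
    return dex_versions_in_apk(buf)

if __name__ == "__main__":
    print(explain_magic_error("64 65 78 0a 30 33 37 00"), demo())
```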

Null Pointer Help!

I built the latest version of the jar from source code. I tried to run this awesome project. However, I failed.
I tried to fix this null pointer bug but I failed. Any idea how to solve this problem?

Transforming android.support.v4.view.accessibility.AccessibilityEventCompatIcs...
java.io.FileNotFoundException: /Users/test/android_tool/JAADAS/config/ConstantRules.groovy (/Users/test/android_tool/JAADAS/config/ConstantRules.groovy)
at groovy.lang.GroovyCodeSource.(GroovyCodeSource.java:106)
at groovy.lang.GroovyClassLoader.parseClass(GroovyClassLoader.java:186)
at org.k33nteam.jade.propagation.track.APIVulnManager.initFromGroovy(APIVulnManager.java:40)
at org.k33nteam.jade.propagation.track.APIVulnManager.(APIVulnManager.java:31)
at org.k33nteam.jade.propagation.base.NaiveAPIChecker.(NaiveAPIChecker.scala:19)
at org.k33nteam.jade.drivers.CheckDriver.doNaiveAPIScan(CheckDriver.scala:132)
at org.k33nteam.jade.drivers.CheckDriver.fastentry(CheckDriver.scala:99)
at main$.main(main.scala:75)
at main.main(main.scala)
Exception in thread "main" java.lang.NullPointerException
at org.k33nteam.jade.propagation.track.APIVulnManager.initFromGroovy(APIVulnManager.java:49)
at org.k33nteam.jade.propagation.track.APIVulnManager.(APIVulnManager.java:31)
at org.k33nteam.jade.propagation.base.NaiveAPIChecker.(NaiveAPIChecker.scala:19)
at org.k33nteam.jade.drivers.CheckDriver.doNaiveAPIScan(CheckDriver.scala:132)
at org.k33nteam.jade.drivers.CheckDriver.fastentry(CheckDriver.scala:99)
at main$.main(main.scala:75)
at main.main(main.scala)

Hard limitation of JAVA 8

The application doesn't compile, nor does the compiled binary run, on Java <8, hence it might make sense to make a note of this somewhere in the readme.

name change: jaadas

The binary jar is still named jade, as is the folder where the binary is created. Is this what's expected, or are we changing these to jaadas in the near future?

Looking for config files in current / working directory.

On execution the application looks for config files in the current working directory. The zip also provides them in a folder called config, but it appears they are searched for in the working directory only.

Is it possible to fix the location of the config files?

P.S. I am not an expert on Scala and hence need a helping hand.
This seems to be the only blocker in getting it integrated in AndroidTamer.

You say in the wiki that Reachability Analysis has not been implemented yet; I don't quite understand which part is not implemented.

Hello, I have only recently started with static analysis. I have read your analysis many times, from optimizing FlowDroid, through modifying the taint propagation rules, to adding custom vulnerability plugins. At the end of the Reachability Analysis part you say it has not been implemented yet, and I'm not clear on exactly which part is not implemented. Is it the part you described earlier, scanning from file reads to functions that leak permissions? I did not understand it clearly and look forward to your reply.
Also, from the perspective of optimizing JAADAS, could you offer some ideas? I would like to try to analyze and understand it and then optimize it.
